We’re forwarding SEP logs to the external Syslog server for further analysis.
The SEP sends a lot of OK messages that we don’t want to see.
There was a massive amount of “The management server received the client log successfully” messages – I’ve filtered them out by disabling “System Client-Server Activity Log”.
Now I’m trying to filter out positive messages similar to these:
Aug 23 12:01:18 SEPS1 Local: 2,Local: 484D7EBF6F59,Remote: 220.127.116.11,Remote: ,Remote: 0,Remote: 01005E000016,8,Outbound,Begin: 2017-08-23 12:00:02,End: 2017-08-23 12:00:02,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,User: monik,Action: Allowed
Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed
Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 18.104.22.168,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed
Any other ideas on how to correctly set up Log Filters to get only risk/block messages would be highly appreciated.
Attached is the screenshot of current Log filter config.
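Added example, not part of the post above and not Symantec code: while the SEP-side Log Filters are being sorted out, the same noise can be dropped on the receiving syslog host. The script below parses the firewall traffic-log layout visible in the three posted lines (syslog header, then a comma-separated payload of "Key: value" fields with a few bare tokens such as the protocol and direction) and keeps only lines whose Action is not "Allowed". The three "Allowed" lines are copied from the post; the fourth "Blocked" line, its rule name and its addresses are constructed for the demo. Anything the parser cannot classify is kept rather than discarded, so other SEP log types are never filtered away by accident.

```python
"""Collector-side filter for SEP firewall traffic-log syslog lines.

Added example (not Symantec code, not the poster's config).  It assumes the
line layout shown in the post: "Mon dd HH:MM:SS host" followed by a
comma-separated payload of "Key: value" fields plus bare tokens.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Syslog header exactly as it appears in the posted lines.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$"
)

# Three lines copied from the post, plus one CONSTRUCTED "Blocked" line
# (rule name, ports and addresses of the last line are made up for the demo).
SAMPLE_LINES = [
    "Aug 23 12:01:18 SEPS1 Local: 2,Local: 484D7EBF6F59,Remote: 220.127.116.11,Remote: ,Remote: 0,Remote: 01005E000016,8,Outbound,Begin: 2017-08-23 12:00:02,End: 2017-08-23 12:00:02,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,User: monik,Action: Allowed",
    "Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed",
    "Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 18.104.22.168,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed",
    # constructed for the demo:
    "Aug 23 12:30:01 SEPS1 Local: 445,Local: 00155D02463E,Remote: 10.150.100.99,Remote: ,Remote: 51234,Remote: 00118575A6A3,TCP,Inbound,Begin: 2017-08-23 12:29:50,End: 2017-08-23 12:29:50,Occurrences: 3,Application: ,Rule: Block inbound SMB,User: ,Action: Blocked",
]


@dataclass
class SepRecord:
    timestamp: str
    host: str
    fields: Dict[str, List[str]] = field(default_factory=dict)   # repeated keys kept in order
    positional: List[str] = field(default_factory=list)          # bare tokens: protocol, direction


def parse_sep_line(line: str) -> SepRecord:
    """Split one syslog line into header plus the SEP payload.

    "Local" and "Remote" occur several times per line, so every key maps to a
    list.  Tokens without "Key: " (e.g. "TCP", "Inbound") go to positional.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line[:60]!r}")
    rec = SepRecord(timestamp=m.group("ts"), host=m.group("host"))
    for part in m.group("payload").split(","):
        if not part:                       # the second posted line starts with a bare ","
            continue
        key, sep, value = part.partition(": ")   # ": " so "C:/SmartFTP" and times stay intact
        if sep:
            rec.fields.setdefault(key, []).append(value.strip())
        else:
            rec.positional.append(part.strip())
    return rec


def is_allowed_traffic(rec: SepRecord) -> bool:
    """True only when the line explicitly says "Action: Allowed".

    A line with no Action field (another SEP log type, or an unexpected
    layout) is treated as NOT allowed so it is never filtered away by mistake.
    """
    action = rec.fields.get("Action", [""])[0]
    return action.strip().lower() == "allowed"


def filter_lines(lines: List[str]) -> List[str]:
    """Return the lines worth keeping: everything that is not Allowed traffic."""
    kept: List[str] = []
    for line in lines:
        try:
            rec = parse_sep_line(line)
        except ValueError:
            kept.append(line)              # unparsable: keep it, a human should look at it
            continue
        if not is_allowed_traffic(rec):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES):
        print(line)
```

Run stand-alone it prints only the constructed "Blocked" line. If the collector is rsyslog, the same drop can be done before the file/forward action with a RainerScript rule of the form `if $msg contains "Action: Allowed" then stop`; the script is mainly useful when you want the parsed fields (rule name, application, remote address) for further analysis rather than a plain string match.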